Question Is it safe to change the default ssh port on live server

[Ko_de_Vries_(J.W.)]

Hi all Pleskians, HAPPY NEW YEAR !!

I recently (about 2 weeks ago) installed PLESK on my new VPS, running Debian 10.11
It's running great, but, i see a lot of ip's being blocked via Fail2ban, especially via ssh port 22.
The count is about a 1000 in 4 days.

Normally i change this port straight after the initial Linux installation & updates, but, you guessed it, i didn't perform this step this time.
The server is live and hosting websites with Wordpress.

My questions are :
1. If i change this port now by following KBase : https://support.plesk.com/hc/en-us/...-How-to-change-the-SSH-port-on-a-Linux-server,
(My main concern Does it effect PLESK functionality/accessability ?
2. is there anything else i need to change ?

Regards, Ko de Vries

 

[Fabian H]

All in the KBase mentioned things are the only you need.
You can safely change the port in addition to the article. Don't forget to modify your Fail2Ban-Jail for ssh if used.

 

[Kaspar]

Should not be an issue to change the SSH port on a production server. However, do make sure you've opened your new SSH port in all firewalls you are using before hand. The Plesk firewall as well as at your provider if they offer any. Otherwise you run the risk of locking yourself out

Also changing the SSH port might conflict with the build in Plesk SSH terminal. I don't use the Plesk SSH terminal myself, so I am not sure. But I have seen a couple of topics about the Plesk SSH terminal not (fully) working with on different port on this forum. (But these issues might been fixed by now, I don't know).

 

[Hex]

Let say you change it to something like 2222

Unless you specify that port every time you're dealing with standard SSH port, SSH login/SFTP/Importing websites from other servers/3rd-party extensions, it will create connections issues for you, more likely connection refused/connection timeout error message.

So you should be aware of this change all the time + firewall and Fail2Ban most be aware of this as well.

 

[tkalfaoglu]

yes in fact you should change it. just remember to tweak the firewall as well.
SSH has a nice feature that even when you do a service sshd restart, it won't disconnect the current connections.
so you can change its config, restart it, and see if you can now start a new session -- but don't disconnect the old session, keep it open.
if it doesn't work, change the config again until it does..

 

[Ko_de_Vries_(J.W.)]

Thanks for the reponse, It's clear to me.

 

[weltonw]

> I recently (about 2 weeks ago) installed PLESK on my new VPS, running Debian 10.11 It's running great, but, i see a lot of ip's being blocked via Fail2ban, especially via ssh port 22. The count is about a 1000 in 4 days.

I'd make the case it doesn't matter. Use SSH Keys (only) and if you are really concerned, run a VPN / tunneled daemon for shell access.

Else, the only thing those attempts do is burn a miniscule amount of CPU cycles before they are blocked again. Things like a login delay can help deter attempts further

 

[Gene Steinberg]

You can block external access to port 22 and set up a different port for access, but use port 22 for the internal SSH.